Enterprise Mobile Device Security: Comparing IPsec and SSL VPNs

Two VPN types account for most enterprise remote access deployments worldwide: IPsec and SSL (today the session is normally negotiated as TLS, but the product category is still called SSL VPN). Remote access for mobile devices can be built on either. The choice usually comes down to what your gateway vendor supports on the devices you need to cover and what your company's access policy requires.

To understand how IPsec and SSL VPNs are alike and how they differ, start with what any VPN does:

A VPN carries sensitive data across a shared network, such as the Internet, without exposing it to anyone who can observe or capture that traffic along the way.

VPNs were initially designed for site-to-site links. Before VPN products were available, organizations relied on expensive leased point-to-point circuits, such as T-1 lines leased from the major telecommunications providers, or on shared but still relatively expensive technologies such as Frame Relay.

VPNs let organizations enjoy the cost and reach of shared networks while addressing the security concerns that come with sending data over the Internet.

A VPN encrypts and integrity-protects traffic as it crosses the Internet, so that an observer on the path learns no more than they would from a dedicated point-to-point circuit: they can see that two endpoints are exchanging traffic, but not what it contains or whether it has been altered. (In practice this is a stronger guarantee than a leased circuit gave, since those were usually unencrypted and relied on the carrier's physical separation.)

Site-to-site VPNs are responsible for three things: authentication (identifying the users or machines attempting to establish a VPN connection), encryption (ensuring that any intercepted traffic can't be read), and integrity protection (ensuring that traffic isn't tampered with while in transit without the tampering being detected).

Over time, VPNs were adapted for use by remote workers. When a VPN is used for remote access, the same building blocks carry over from site-to-site connections: authentication, encryption, and integrity protection. IPsec and SSL VPNs make up the majority of today's enterprise remote access deployments. Here is how each type handles the connection:

IPsec VPNs provide a secure network-layer (Layer 3) connection to the corporate network. Each IP packet sent from the mobile device to the VPN gateway is encapsulated (with ESP) and encrypted for the trip across the Internet. The gateway decrypts and decapsulates the packet and forwards it onto the LAN, where it is no different from traffic coming directly from end users on the LAN.

The result is access very similar to what a user gets when physically connected in the office: full connectivity to all resources and applications. Of course, this level of access has a downside: a compromised or poorly maintained device that connects this way can reach everything a desk-side PC can. Limiting a session to the specific applications the user actually needs contains that risk.

SSL VPNs, now the more common choice for new enterprise remote access deployments, can almost always provide the same full Layer 3 tunnel that IPsec VPNs do (through a client or agent on the device), while also offering finer-grained modes, such as clientless access to individual web applications, so that access can be restricted per user, per group, or per device.

As an example, a user attempting to access the corporate network from a company-owned Microsoft Windows laptop, with all the required security fixes and patches, might be an ideal candidate for full Layer 3 access. That same user attempting to access from his personally owned Apple iPhone, on the other hand, might be subject to stricter controls that allow him access to only a few web-based applications and e-mail.
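The two-tier decision just described, as an added Python example that is not code from the original article or from any VPN vendor: device posture selects an access tier, the tier is enforced as a default-deny allow-list, and a device whose posture check could not run is deliberately held to the restricted tier rather than escalated. The tier names, internal addresses, and the iptables chain name are assumptions made for the example.

```python
"""Posture-based tiering for remote-access sessions (added example).

A managed, fully patched endpoint is granted full Layer 3 reach into the
corporate network; a personal or unverified device is held to a short
allow-list of application endpoints. Addresses and names are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DevicePosture:
    managed: bool                 # enrolled in corporate MDM or domain-joined
    os_family: str                # "windows", "ios", ... (informational)
    patch_current: bool           # all required fixes installed
    # None: the posture check could not run (unsupported platform, old client).
    posture_verified: Optional[bool] = True


@dataclass(frozen=True)
class AccessTier:
    name: str
    # (destination network, TCP port); port None means any port/protocol.
    allow: Tuple[Tuple[IPv4Network, Optional[int]], ...]


# Hypothetical corporate address space and application endpoints.
FULL_L3 = AccessTier("full-l3", ((ip_network("10.0.0.0/8"), None),))
WEB_AND_MAIL = AccessTier("web-and-mail", (
    (ip_network("10.20.1.10/32"), 443),   # intranet web portal
    (ip_network("10.20.1.20/32"), 443),   # webmail / ActiveSync front end
))


def select_tier(p: DevicePosture) -> AccessTier:
    """Map device posture to an access tier, failing closed."""
    # If the posture check did not complete, never escalate to full access:
    # treat the device exactly like a personally owned one.
    if p.posture_verified is not True:
        return WEB_AND_MAIL
    if p.managed and p.patch_current:
        return FULL_L3
    # Managed but missing patches, or not managed at all.
    return WEB_AND_MAIL


def is_allowed(tier: AccessTier, dst_ip: str, dst_port: int) -> bool:
    """Default-deny check of one flow against the session's tier."""
    addr = ip_address(dst_ip)
    for net, port in tier.allow:
        if addr in net and (port is None or port == dst_port):
            return True
    return False


def to_iptables(tier: AccessTier, session_ip: str) -> List[str]:
    """Render the tier as per-session forwarding rules in iptables syntax.

    A gateway would install these when the tunnel comes up; the final DROP
    makes the allow-list the only path from the session onto the LAN.
    """
    rules = []
    for net, port in tier.allow:
        rule = f"-A VPN_FWD -s {session_ip} -d {net}"
        if port is not None:
            rule += f" -p tcp --dport {port}"
        rules.append(rule + " -j ACCEPT")
    rules.append(f"-A VPN_FWD -s {session_ip} -j DROP")
    return rules


if __name__ == "__main__":
    laptop = DevicePosture(managed=True, os_family="windows", patch_current=True)
    iphone = DevicePosture(managed=False, os_family="ios", patch_current=True)
    for label, dev in (("corporate laptop", laptop), ("personal iPhone", iphone)):
        tier = select_tier(dev)
        print(f"{label}: tier={tier.name}, file server 10.5.5.5:445 "
              f"allowed={is_allowed(tier, '10.5.5.5', 445)}")
        for r in to_iptables(tier, "172.16.0.7"):
            print("   ", r)
```

The point worth copying from this sketch is the ordering in select_tier: the check for an incomplete posture result comes first, so a client that cannot report its state can never land in the full-access tier by accident.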

Of course, whether you run an IPsec VPN or an SSL VPN, platform support is a key requirement. Not every vendor supports every mobile platform, so confirm with your VPN gateway vendor that the product supports the specific device types and OS versions you plan to allow, and which access modes (full tunnel, application-level, or both) are available on each of them.